Wednesday, 5 May 2010

The Client Access Server Role Pt3

Exchange 2010 and Mobile Devices

Mobile devices such as PDAs and mobile phones can connect to Exchange 2010 to send and read email messages and other items such as calendar entries, contacts and tasks. The technology behind this is ActiveSync. ActiveSync is based on HTTP/HTTPS and is designed to connect mobile devices across the Internet.

Enabling/Disabling ActiveSync

ActiveSync is on by default, but you can turn it off by configuring IIS on the CAS. To do this, do the following:

By default, users can synchronize any ActiveSync-capable device with Exchange. You can prevent users from connecting with specific devices by using a device's 'Device ID'. However, you should understand that you can only determine this value once an ActiveSync device has connected and synchronized with Exchange.

The device ID can be determined by using the Get-ActiveSyncDeviceStatistics cmdlet:

The DeviceID is based on the International Mobile Equipment Identity (IMEI). As mentioned, this can only be obtained once synchronization has occurred. You can also get the number by typing *#06# on the mobile device.

You can add the device to a block list by typing the following:

[PS] Set-CASMailbox [alias] -ActiveSyncBlockedDeviceIDs 356059038180488

You can block every device except the device you want to use by the following command:

With the above command every device is blocked except this one.

To clear the device ID from the block list and the allowed list, type the above commands but use $null instead of the IMEI number:

[PS] Set-CASMailbox [alias] -ActiveSyncBlockedDeviceIDs $null
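The whole device-ID workflow described above, as an added Exchange Management Shell example (not from the original post): list the devices that have synchronized with a mailbox, block one of them, switch to an allow-only list, verify, and clear both lists again. The mailbox alias "andrew" and the device ID value are constructed samples; the cmdlets and parameters are the Exchange 2010 ones.

```powershell
# Added example, not from the original post. Assumed: mailbox alias "andrew";
# the device ID below is a constructed sample, not a real IMEI.

# 1. List the devices that have already synchronized with the mailbox.
#    DeviceID is only populated after a device has completed a sync.
Get-ActiveSyncDeviceStatistics -Mailbox "andrew" |
    Select-Object DeviceID, DeviceType, DeviceModel, LastSuccessSync |
    Format-Table -AutoSize

# 2. Block a single device. The list parameters are multi-valued, so use the
#    @{Add=...} form to append without overwriting entries already present.
$deviceId = "356059038180488"   # constructed sample
Set-CASMailbox -Identity "andrew" -ActiveSyncBlockedDeviceIDs @{Add = $deviceId}

# 3. Allow-only mode: once the allowed list is non-empty, any device that is
#    not on it is refused, regardless of the blocked list.
Set-CASMailbox -Identity "andrew" -ActiveSyncAllowedDeviceIDs $deviceId

# 4. Verify what is now in force for the mailbox.
Get-CASMailbox -Identity "andrew" |
    Format-List ActiveSyncEnabled, ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

# 5. Return to the default (any device may sync) by clearing both lists.
Set-CASMailbox -Identity "andrew" `
    -ActiveSyncAllowedDeviceIDs $null `
    -ActiveSyncBlockedDeviceIDs $null
```

Step 4 is worth running after every change: a non-empty allowed list silently locks out every device not on it, including the user's replacement phone.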

Mobile Device Policies

Different devices used by your users have different features and settings. You can define which features and settings are provided to your users by establishing Mobile Device Policies. By default, a single policy is built and is visible:

1. In the EMC, browse to Organization Configuration, Client Access node
2. Select Exchange ActiveSync Mailbox Policies
3. You should see a policy called Default

This policy is applied to all your users.

Create A New Mobile Device Policy

You can create a new policy in the EMS by typing the following:

[PS] New-ActiveSyncMailboxPolicy "Managers"

This creates a new policy with default settings; in this scenario the policy will be used for company managers.

Assign the New Policy to Users and Groups

You can define which groups/users should use the new policy by the following:

Once users and groups have been assigned, you can control which features you want to be enabled or disabled.

These include the following features:

Removable storage

Camera

Wireless network adapter

Infrared port

Internet sharing

Remote desktop

Synchronization with a PC

Bluetooth functionality

These features can be turned off using the EMS. For example,

[PS] Set-ActiveSyncMailboxPolicy "Managers" -AllowCamera $false

This will turn off the use of the camera on the mobile device. However, enforcement depends on the device model and only really applies to Windows Mobile devices.

Manage Synchronization Settings

You can also control synchronization settings. These include the following items:

1. How old emails and calendar items have to be before they are no longer synchronized
2. Maximum size of email attachments
3. Direct Push, which pushes email to devices and does not require manual or scheduled synchronization at the device end
4. Formatting of messages as HTML or text

This will allow a maximum email size of 75KB and disable attachments.
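The policy steps from "Create A New Mobile Device Policy" through "Manage Synchronization Settings", as one added Exchange Management Shell example (not from the original post): create the "Managers" policy, assign it to a group's mailboxes and to one user, switch off the listed device features, and apply the synchronization limits, including the 75KB body size and disabled attachments. The distribution group name "Managers" and the alias "andrew" are assumptions.

```powershell
# Added example, not from the original post. Assumed: a distribution group
# named "Managers" (hypothetical) and a mailbox alias "andrew".

# 1. Create the policy with default settings.
New-ActiveSyncMailboxPolicy -Name "Managers"

# 2. Assign it to every mailbox in the group (skip contacts and nested groups),
#    and to one user directly.
Get-DistributionGroupMember -Identity "Managers" |
    Where-Object { $_.RecipientType -eq "UserMailbox" } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy "Managers"
    }
Set-CASMailbox -Identity "andrew" -ActiveSyncMailboxPolicy "Managers"

# 3. Disable device features. Each setting is only enforced by devices that
#    honour it, which at the time largely meant Windows Mobile.
Set-ActiveSyncMailboxPolicy -Identity "Managers" `
    -AllowStorageCard $false `
    -AllowCamera $false `
    -AllowWiFi $false `
    -AllowIrDA $false `
    -AllowInternetSharing $false `
    -AllowRemoteDesktop $false `
    -AllowDesktopSync $false `
    -AllowBluetooth Disable

# 4. Synchronization settings: age filters, attachments off, message body
#    truncated at 75KB (the parameter is in KB), HTML allowed, and manual sync
#    required while roaming so Direct Push does not run up roaming charges.
Set-ActiveSyncMailboxPolicy -Identity "Managers" `
    -MaxEmailAgeFilter OneWeek `
    -MaxCalendarAgeFilter TwoWeeks `
    -AttachmentsEnabled $false `
    -MaxEmailBodyTruncationSize 75 `
    -AllowHTMLEmail $true `
    -RequireManualSyncWhenRoaming $true

# 5. Review the result before handing devices to users.
Get-ActiveSyncMailboxPolicy -Identity "Managers" |
    Format-List Allow*, Max*AgeFilter, AttachmentsEnabled, MaxEmailBodyTruncationSize, RequireManualSyncWhenRoaming
```

A policy assignment only reaches a device at its next synchronization, so step 5 shows the server-side intent, not what every phone is currently enforcing.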

Protection of Mobile Devices

Protection of devices is essential. A first step is ensuring password protection on the device. The password requirements can be quite granular:

As you can see, the password setup can be quite involved. You can see from the above diagram that the number of failed attempts is set to 8. Any more than this and the device is wiped clean, destroying all data stored on the device! So I suggest you select Enable Password Recovery. If you do this, a secondary password is generated and maintained on Exchange. An administrator can obtain this password, as can the user via OWA.

If the administrator requires access to the recovery password, simply select the user's mailbox in the EMC and, in the action pane, click the Manage Mobile Phone option. The recovery password is displayed and can then be given to the user.

A user who has forgotten her password can find the recovery password through the control panel in OWA.

The recovery password can also be obtained using the EMS. You will need to specify the ShowRecoveryPassword parameter in order for the password to be displayed. Try the following:

You can perform a remote wipe of a lost or stolen device. When I say wipe I really mean WIPE! Data on the device and any storage cards will be erased. The process can be performed using both the console and the shell. To perform a wipe using the shell, perform the following two steps:

1. Get a list of devices for the unfortunate user

[PS] Get-ActiveSyncDeviceStatistics -Mailbox "Andrew" | fl Identity

2. Wipe the device using the returned device ID

[PS] Clear-ActiveSyncDevice -Identity [DeviceIdentity]

You can also perform the same thing and send a notification email to inform the person of the wipe (just to keep them happy!).
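The "Protection of Mobile Devices" section as one added Exchange Management Shell example (not from the original post): set the password requirements on the "Managers" policy with password recovery enabled, read a user's recovery password with -ShowRecoveryPassword, issue a wipe with the notification email the post mentions, and confirm from the device statistics that the wipe was sent and acknowledged. The mailbox "Andrew" is from the post; the policy name "Managers", the device ID and the notification address are constructed placeholders.

```powershell
# Added example, not from the original post. Assumed: policy "Managers",
# mailbox "Andrew"; the device ID and email address are placeholders.

# 1. Password policy. MaxDevicePasswordFailedAttempts 8 matches the post: the
#    ninth wrong PIN wipes the device, so PasswordRecoveryEnabled gives the user
#    a server-held escape route that does not end in data loss.
Set-ActiveSyncMailboxPolicy -Identity "Managers" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 6 `
    -MinDevicePasswordComplexCharacters 2 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock 00:15:00 `
    -DevicePasswordExpiration 90.00:00:00 `
    -DevicePasswordHistory 5 `
    -PasswordRecoveryEnabled $true `
    -RequireDeviceEncryption $true

# 2. Recovery password. Without -ShowRecoveryPassword the property stays blank.
Get-ActiveSyncDeviceStatistics -Mailbox "Andrew" -ShowRecoveryPassword |
    Format-List Identity, DeviceType, DeviceModel, RecoveryPassword

# 3. Remote wipe of one device, with a notification email, then confirmation.
$lostId = "356059038180488"   # constructed placeholder device ID
$device = Get-ActiveSyncDeviceStatistics -Mailbox "Andrew" |
    Where-Object { $_.DeviceID -eq $lostId }

Clear-ActiveSyncDevice -Identity $device.Identity `
    -NotificationEmailAddresses "helpdesk@example.com"   # placeholder address

# The wipe command is delivered on the device's next sync. RequestTime is set
# immediately; SentTime and AckTime stay empty until the device checks in and
# acknowledges, so poll these before telling the user the data is gone.
Get-ActiveSyncDeviceStatistics -Mailbox "Andrew" |
    Where-Object { $_.DeviceID -eq $lostId } |
    Format-List DeviceID, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime

# 4. After acknowledgement, remove the partnership so the old device cannot
#    resume syncing; a replacement device creates a fresh partnership.
Remove-ActiveSyncDevice -Identity $device.Identity
```

Clear-ActiveSyncDevice prompts for confirmation by default; leave that prompt in place for an operation this destructive rather than suppressing it with -Confirm:$false.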